Fresh off my unfortunate experience of having my Gmail and Facebook accounts hacked–resulting in an overwhelming task of simultaneously allaying fears, changing passwords, and canceling credit cards–I’ve lately been wondering how to design for panic. That is, how does one design a software interface (especially a web-based UI accessed by literally millions per day, say like…Facebook or Gmail :-) towards supporting that once-in-a-lifetime, super rare but incredibly urgent use case of “oh crap! i’ve been hacked! now what??”. I grant it’s not a common use case, but it’s perhaps the most urgent one when it does happen.
When you’re panicked, your body and mind start to shut down, fueled by surging adrenaline and so forth, focusing like a laser beam on your immediate survival and defense goals. No patience for dancing clowns across my screen or banner Flash movie ads, or survey pop-ups. Nor any patience to “figure out a UI”–I just want that damn “emergency button”–whatever that may be, RIGHT NOW!! In that powerful, all-consuming time of panic, I want a gigantic red loud Staples Easy button, screw aesthetics and elegance and all that. Because when you’ve been hacked, speed and timing are of the essence to get things back under your control. To relieve anxiety and stress. To regain that comforting normalcy of just everyday clicking links and scanning pages. To know that everything is OK.
How can a design (and the designer) address such a hopefully rare yet urgent case? In my situation, I had to go through every site’s navigational structure (menus, tabs, links) to ascertain where I could quickly a) change my password and b) report a hack/phish attack on my account. Or if there’s a search field, I just used that to short-circuit the confusing navigational paths, and hopefully get “the right link” that I desperately needed!
A few quick, easy fixes come to mind for making all this smoother:
** On the login screen, below the usual credentials fields, have explicit links for “change password” and “been hacked?” (in addition to “forgot my password”…b/c when you’ve realized you’ve been hacked, the first thing you feel you ought to do–out of fear–is try to change your password and get back in.)
** A standardized, universal location in the upper left/right of every page for “change password” and “been hacked? click here” links
** Duplicate those links in the page footer as well
** Robust search field where typing in “change password” or “i’ve been hacked” calls up the correct links. That really should be use case number one, IMHO.
Of course, there should be multiple levels of security for changing your password, or reporting a suspected hack/phish attack on your account. The form for reporting a phish/hack attack should be extremely short and sweet, with all required fields at the very top, boldly labeled, in large field type size (again, physiological effects of panic: pupils shrink, small type is harder to parse, and with your heart racing 100 mph, you’ve simply got “no time to think”, you just want to get it done ASAP!) and any optional fields below the fold, or in a separate collapsible section.
I found the Google hack/phish report form way too long, with required fields all over the page which I had to scroll down, etc. asking things like “last 5 email addresses used” and “when I started using Gmail”–huh? who remembers that when you’re freaking out??
Also of great help would be some friendly, empathetic “counseling tips”, about what to do if you think you’ve been hacked/phished and how to protect yourself RIGHT NOW. It’s a traumatic crisis situation. So what are the top actions you should do RIGHT NOW? Call the FBI? Call your credit card companies? Call home and let mom/dad know you’re not really mugged and stranded in London? All three? Whew!
Another idea: How about helping the hapless victim by sharing the burden of notifying key people via SMS or email from a temporary “emergency account” or sending out a voice recorded message (your voice) to your friends’ phones? Of course all of this will require multiple security levels to prove it’s you and not someone monkeying around creating more chaos. I’m just brainstorming on the fly, but there must be ways to handle these situations, simply, efficiently, and creatively.
Being hacked/phished may sound like a minor annoyance that only happens to Internet newbies with hillbilly accents, but if and when it happens to you (and it will), it’s an incredibly serious violation of trust, confidence, security, etc. (And more on that soon…) It can be an emotionally traumatic moment of dire panic as you realize potentially EVERYTHING is now in the hands of someone who could be highly sophisticated and malicious or just a bored teenager. But at that moment, you don’t care. You just want to fix things NOW. So as designers we should leverage our empathic and imaginative abilities to help shape a smooth handling of those moments of online panic whenever they occur.